I received a response from Reddit pretty quickly after submitting it. The response told me that I must delete all of the posts and comments beforehand. I’m pretty sure this is in violation of both GDPR/CCPA as it might be physically impossible for a user to delete, say, one million comments. Of course, this ignores the fact that Reddit already restored all of the data that I’ve deleted.
No tool from reddit allows you to delete all your comments. Reddit doesn’t allow you to map all of them. You can check by yourself by searching manually in a search engine for your username and reddit.com. You will see a lot of your comments which are not shown in your comment interface.
There used to be - there was a tool that used pushshift to find things even beyond the 1000 limit, but it stopped working after pushshift was shut down last month.
Even so, thanks to the hard work of that team, there’s still a way to get everything (and I do mean everything - even stuff way beyond the 1000 index limit and stuff not found by the search engines). See https://kbin.social/m/RedditMigration/t/65260/PSA-Here-s-exactly-what-to-do-if-you-hit-the
Thanks for posting this! Finally a very clear guide to deleting all data from reddit. Being a European citizen, I am happy I can appeal to the GDPR. It’s amazing reddit is saying users must delete all their data individually before they delete it from their servers. As the author of the blog says, this is in clear defiance of the privacy law. Still, good to make them suffer some more :D
If you want your posts and comments removed, follow the instructions on our help page.
Do you have the screenshot of where that link goes to, as I want to see how they recommend doing it?
Posts and comments must be separately deleted before deleting your account. If not separately deleted, the content of the posts and comments will remain visible and disassociated from any account. If you want your posts and comments removed, follow the instructions on our help page.
Yeah, this is illegal. At least under GDPR. I’m not familiar with the California law.
Reddit has to delete ANY data associated with your account, and that would include the comments made.
Thank you for this guide. I’ve deleted my posts and comments and requested the account to be deleted.
GDPR is great, but it would probably not apply to posts and comments as it pertains to personal data (name, address). User-provided content is not generally personal data as per GDPR (though might contain some). Posting personal data is even explicitly disallowed in most subs.
One could argue they need to delete username, although it is in principle arbitrary, but they could be allowed to keep post/comment content. And this already happens as part of account deletion.
On top of this, users agreed to transferring rights when accepting TOS:
“When Your Content is created with or submitted to the Services, you grant us a worldwide, royalty-free, perpetual, irrevocable, non-exclusive, transferable, and sublicensable license to use, copy, modify, adapt, prepare derivative works of, distribute, store, perform, and display Your Content and any name, username, voice, or likeness provided in connection with Your Content in all media formats and channels now known or later developed anywhere in the world.”
Source: https://www.redditinc.com/policies/user-agreement/
Don’t confuse this with me liking what Reddit is doing, it’s a douchebag move, so we have all the reasons to distrust Reddit and be angry. I’m just trying to add nuance to the issue.
Obligatory IANAL
Reddit is bullshitting about subreddits not being deletable. Yet, GDPR helped me to force them to delete a sub named after my real name that I made long ago. So it seems GDPR works quite well.
Perils of living in Massachusetts. I hope similar laws pass federally in the United States.
That being said, I’ve been on the other side of GDPR. Getting ready for GDPR around 2017 was so much work. We initially had a lengthy Confluence runbook with all the places data had to be deleted from. It took a while to automate. Painful, but it’s the right thing to do.
RE: OP
I’m pretty sure this is in violation of both GDPR/CCPA
IANAL, but I agree. In my past companies, when a GDPR deletion request comes, we follow through and delete the data. We might ask users to verify their identity but that’s about it. It should be 2-3 emails back and forth.
I hope similar laws pass federally in the United States.
Best of luck!
Since you seem to have some experience with dealing with GDPR/CCPA requests, I have a question. Couldn’t US Americans from other states just claim they live in California and make a CCPA request? At most you could use a VPN server based in California (although that might be easily identifiable) or just claim you only use their service through a VPN/proxy and you have recently moved to California. Or does a CCPA request require official documents to prove residency?